AI governance in France.
France uses a multi-regulator approach to the EU AI Act — with DGCCRF as the single point of contact, CNIL for data protection AI, and sector authorities for their domains. France 2030 positions the country as a sovereign AI leader. The EU AI Act applies in full.
Key facts for organisations
- France was central to EU AI Act negotiations and achieved several amendments including protections for national security exemptions and stronger research carve-outs
- CNIL published specific AI guidance in 2023–24 on GDPR compliance for generative AI and on AI in workplace monitoring — among the most detailed national supervisory guidance in Europe
- France uses a multi-regulator model for EU AI Act enforcement: DGCCRF is the single point of contact, with CNIL handling data protection AI, ACPR overseeing financial AI, and sector authorities responsible for their domains
- France's national AI strategy (France 2030) has committed over EUR 1.5 billion in public funding to AI across two phases (2018–2022 and 2022–2025), with a focus on sovereign French AI capability including the Mistral AI partnership
- The EU AI Act applies in full to French organisations and to non-EU organisations whose AI systems affect people in France
Key regulators
CNIL
Commission Nationale de l'Informatique et des Libertés
France's data protection authority — GDPR enforcement, AI-specific guidance including on biometric AI, automated decisions, and workplace monitoring
DGCCRF
Direction générale de la Concurrence, de la Consommation et de la Répression des fraudes
France's single point of contact under the EU AI Act and market surveillance coordinator — responsible for coordinating AI Act enforcement across sector regulators
AMF
Autorité des marchés financiers
Financial markets regulator — oversight of AI in trading, investment advice, and financial product distribution
ACPR
Autorité de contrôle prudentiel et de résolution
Banking and insurance prudential supervisor — AI in credit, underwriting, and systemic risk assessment
EU AI Act applies in full to French organisations
French organisations are subject to the full EU AI Act obligations — including prohibited practices (from February 2025), GPAI model rules (from August 2025), transparency obligations (from August 2026), and high-risk AI conformity requirements (from December 2027 for Annex III, August 2028 for Annex I). The DGCCRF acts as France's single point of contact; sector regulators including CNIL, ACPR, and domain-specific authorities handle enforcement in their areas.